This privacy notice applies to The Queen’s College
Old Members, donors, and supporters


A summary of what this notice explains 


The Queen’s College (“the College”) is committed to protecting the privacy and security of personal 
data. 


This notice explains what personal data the College holds about Old Members, donors and 
supporters (“you”), how we use it internally, how we share it, how long we keep it and what your 
legal rights are in relation to it. 


For the parts of your personal data that you supply to us, this notice also explains the basis on which 
you are required or requested to provide the information. For the parts of your personal data that 
we generate about you, or that we receive from others, it explains the source of the data. 


There are some instances where we process your personal data on the basis of your consent. This 
notice sets out the categories and purposes of data where your consent is needed. 


The College has also published separate notices, which are applicable to other groups and activities. 
Those notices may also apply to you, depending on your circumstances, and it is important that you 
read this privacy notice together with other applicable privacy notices: 
1. current students
2. current staff, office holders and senior members
3. archives (which explains what data we hold in our archive)
4. security, maintenance and health and safety (including how we use CCTV)
5. website and cookies (including how we monitor use of our website)


You can access past versions of our privacy notices at https://www.queens.ox.ac.uk/gdpr. 





What is your personal data and how does the law regulate our use of it? 


“Personal data” is information relating to you as a living, identifiable individual. We refer to this 
as “your data”. 


Data protection law requires the College (“us” or “we”), as data controller for your data: 
• To process your data in a lawful, fair and transparent way;
• To only collect your data for explicit and legitimate purposes;
• To only collect data that is relevant, and limited to the purpose(s) we have told you about;
• To ensure that your data is accurate and up to date;
• To ensure that your data is only kept as long as necessary for the purpose(s) we have told
you about;
• To ensure that appropriate security measures are used to protect your data.


Contact Details 


If you need to contact us about your data, please contact: 


The Revd Katherine Price 
Data Protection Officer 
The Queen’s College 


Oxford 


OX1 4AW 


Telephone: 01865 279143 
Email: katherine.price@queens.ox.ac.uk


What personal data we hold about you and how we use it 


We may hold and use a range of data about you at different stages of our relationship with you. We
might receive this data from you; we might create it ourselves, or we might receive it from someone
else (for example, the University of Oxford or student societies that you were a member of).


Categories of data that we collect, store and use include (but are not limited to): 


• Contact details that you provide to us, including names, addresses and telephone numbers.

• Details of prizes, scholarship and/or bursaries you support.

• Donation histories, including contacts made, details of amounts given and pledged, projects
supported and Gift Aid forms.

• Financial information including your contact information and details of invoicing and
outstanding payments (including banking or other payment information) for facilities and
services provided by the College at your request. We also engage third party providers to
process credit card and direct debit payments to us. A link to their privacy notices can be
viewed by clicking on the link to give online on our website:
https://www.queens.ox.ac.uk/give-online.

• Dietary and accessibility requirements.

• Details of criminal convictions or charges to the extent these are required for compliance
with our legal obligations.

• Photographs, audio and video recording of College events that you attend.


Further categories of data that we hold in relation to Old Members, donors and supporters are set
out in our Record of Processing Activity.


The lawful basis on which we process your data 


The law requires that we provide you with information about the lawful basis on which we process
your personal data, and for what purpose(s).


Most commonly, we will process your data on the following lawful grounds: 


• Where it is necessary to perform the contract we have entered into with you;
• Where necessary to comply with a legal obligation;
• Where it is necessary for the performance of a task in the public interest;
• Where it is necessary for our legitimate interests (or those of a third party) and your
interests and fundamental rights do not override those interests.


We may also use your personal information, typically in an emergency, where this is necessary to 
protect your vital interests, or someone else’s vital interests. In a small number of cases where other 
lawful bases do not apply, we will process your data on the basis of your consent. 


How we apply further protection in the case of “special categories” of personal data 


"Special categories" of particularly sensitive personal information require higher levels of 
protection. We need to have further justification for collecting, storing and using this type of 
personal information. 


The special categories of personal data consist of data revealing: 
• racial or ethnic origin;
• political opinions;
• religious or philosophical beliefs;
• trade union membership.


They also consist of the processing of: 
• genetic data;
• biometric data for the purpose of uniquely identifying someone;
• data concerning health;
• data concerning someone's sex life or sexual orientation.


We may process special categories of personal information in the following circumstances: 
• With your explicit written consent; or
• Where it is necessary in the substantial public interest, in particular:
    o for the exercise of a function conferred on the College or anyone else by an
      enactment or rule of law; or
    o for equal opportunities monitoring;
• Where the processing is necessary for archiving purposes in the public interest, or for
scientific or historical research purposes, or statistical purposes, subject to further
safeguards for your fundamental rights and interests specified in law.


We have in place appropriate policy documents and/or other safeguards which we are required by 
law to maintain when processing such data. 


Less commonly, we may process this type of information where it is needed in relation to legal 
claims or where it is needed to protect your interests (or someone else's interests) and you are not 
capable of giving your consent, or where you have already made the information public. 


Criminal convictions and allegations of criminal activity 

Further legal controls apply to data relating to criminal convictions and allegations of criminal
activity. We may process such data on the same grounds as those identified for “special categories”
referred to above.


Further processing activity carried out by the College which relates to criminal offences or 
allegations involving donors and supporters including prospective donors and supporters (for 
example, in relation to money laundering or bribery offences) is also carried out for the purposes 
of: 
1. complying with, or assisting other persons to comply with, a regulatory requirement which 
involves the College taking steps to establish whether another person has: 
a. committed an unlawful act, or: 
b. been involved in dishonesty, malpractice or other seriously improper conduct; and 
2. In the circumstances, the College cannot reasonably be expected to obtain your consent to
the processing, and the processing is necessary for reasons of substantial public interest. 


Details of our processing activities, including our lawful basis for processing 

Details of the lawful bases we rely on for the processing of the categories of data that we hold in 
relation to Old Members, donors and supporters are set out in our Record of Processing Activity. 
Details of retention periods, plus details of parties to whom we transfer data, and on what basis, are 
available here. 


Profiling 


The College may analyse the personal information we collect about you, including your known 
interests, activities and/or hobbies, in order to build a profile which helps us to decide what 
communications are likely to be of interest to you. In addition to information that you have 
provided to the College over time, we may be given information by your family, friends, colleagues 
and acquaintances. We may also seek out information, using public and/or private databases, in 
order to fill in gaps in our knowledge and thereby deepen our relationship with you.


We may seek out publicly available information about you, such as changes in employment, 
directorships, achievements, honours and other news. We may also consult commercial providers 
who collate publicly available information including about your employment, directorships, 
achievements, honours and other news about you which is indicative of your behaviour as a 
potential donor. Information collected may include the likely value of your residence (based on
your postcode), and past records of support and/or donations to charity (where this is recorded on
publicly available websites, via public social media, or in filed charity accounts). Information
gathered is then combined with that already held, in order to assess your ability to contribute to 
the College’s projects and initiatives, or to provide a legacy donation. 


While we do have a legitimate interest in carrying out such analysis, you have the right to request 
that we do not process your personal data in this way. 


We do not outsource profiling activity. If we decide to outsource such activity in future, we will 
inform you of who we are outsourcing the activity to and provide you with not less than 1 month’s 
notice of this. 


Data that you provide to us and the possible consequences of you not providing it 


Most data that you give to us is provided on a wholly voluntary basis — you have a choice whether 
to do so. Examples include: 


• Disability and health condition information, which you may choose to provide to us in
order that we can take this information into account when considering whether to make a
reasonable adjustment under the Equality Act 2010, for example in relation to accessibility.

• Gift Aid information, which you may choose to provide while making philanthropic
donations in order that the College and/or the University is able to recover Gift Aid amounts
in relation to your donations.


The consequences for any failure to provide such data will depend on the particular circumstances. 
For example, if you decide not to provide information about your disability, this might mean that 
we cannot make a reasonable adjustment to assist you. 


Other sources of your data 


Apart from the data that you provide to us, we may also process data about you from a range of 
sources. These include: 

• Data that we generate about you, such as when communicating with you, receiving your
donations, and/or inviting you to or arranging your attendance at events at the College;

• The University of Oxford, which operates a number of systems that Colleges have access to,
including the Development and Alumni Relations System;

• Organisations such as Americans for Oxford, Inc., the Swiss Friends of Oxford, and the
German Friends of Oxford University;

• Third parties who process donations that you make to the College such as the University
shop, DonorDebit, Hubbub, Paypal and Just Giving (and similar payment and donation
portals);

• Local and international media sources, when you are mentioned in published articles, lists
or other commentary;

• Fellow Old Members of the College, family members, friends, visitors to the College and
other contacts who may provide us with information about you if and when they contact
us, or vice versa.


Our Record of Processing Activity indicates the sources of each of the various categories of data 
that we process. 





How we share your data 


We do not, and will not, sell your data to third parties. We will only share it with third parties 
external to the collegiate University, if we are allowed or required to do so by law. 


Examples of bodies to whom we are required by law to disclose certain data include, but are not 
limited to: 


Organisation: HM Revenue & Customs (HMRC)
Why? Information released to HM Revenue & Customs (HMRC) in order to collect Gift Aid
contributions.

Organisation: Charities Commission
Why? In response to official investigations regarding our charitable status and activities,
and/or in relation to statutory returns or audits.


Examples of bodies to whom we may voluntarily disclose data, in appropriate circumstances, 
include but are not limited to: 


Organisation: The University of Oxford, Americans for Oxford Inc., Swiss Friends of Oxford
University, German Friends of Oxford University
Why? Contact information, education and interest data, and whether a person is a donor may be
shared within the collegiate University. Additional data may also be shared to facilitate joint
events.

Organisation: Third party service providers
Why? To facilitate activities of the College. Any transfer will be subject to an appropriate,
formal agreement between the College and the processor.


Where information is shared with third parties, we will seek to share the minimum amount of 
information necessary to fulfil the purpose. 


All our third party service providers are required to take appropriate security measures to protect 
your personal information in line with our policies, and are only permitted to process your personal 
data for specific purposes in accordance with our instructions. We do not allow our third party 
providers to use your personal data for their own purposes. 


More extensive information on the categories of recipients of your data is set out here.


Sharing your data outside the European Union


The law provides various further safeguards where data is transferred outside of the EU.


When you are resident outside the EU in a country where there is no “adequacy decision” by the 
European Commission, and an alternative safeguard is not available, we may still transfer data to 
you which is necessary for performance of your contract with us. 


Otherwise, we may transfer your data outside the European Union, but only for the purposes 
referred to in this notice and provided either: 
• There is a decision of the European Commission that the level of protection of personal data
in the recipient country is adequate; or
• Appropriate safeguards are in place to ensure that your data is treated in accordance with
UK data protection law, for example through the use of standard contractual clauses; or
• There is an applicable derogation in law which permits the transfer in the absence of an
adequacy decision or an appropriate safeguard.


Automated decision-making 


We do not envisage that any decisions will be taken about you based solely on automated means;
however, we will notify you in writing if this position changes.


How long we keep your data 


We retain your personal information for as long as necessary to fulfil the purposes we collected it 
for, including for the purpose of satisfying any legal, accounting or reporting requirements. 


Details of expected retention periods for the different categories of your personal information that 
we hold are set out in our Record of Processing Activity. 





Retention periods may increase as a result of legislative changes, e.g. an increase in limitation 
periods for legal claims would mean that the College is required to retain certain categories of 
personal data for longer. Any such changes will be reflected in updated versions of our Record of 
Processing Activity. 


If there are legal proceedings, a regulatory or criminal investigation, suspected criminal activity, or 
relevant requests under data protection or freedom of information legislation, it may be necessary 
for us to suspend the deletion of data until the proceedings, investigation or request have been fully 
disposed of. 


Please note that we may keep anonymised statistical data indefinitely, but you cannot be identified 
from such data. 


Your legal rights over your data 


Subject to certain conditions and exceptions set out in UK data protection law, you have: 

• The right to request access to a copy of your data, as well as to be informed of various
information about how your data is being used;

• The right to have any inaccuracies in your data corrected, which may include the right to
have any incomplete data completed;

• The right to have your personal data erased in certain circumstances;

• The right to have the processing of your data suspended, for example if you want us to
establish the accuracy of the data we are processing.

• The right to receive a copy of data you have provided to us, and have that transmitted to
another data controller (for example, another University or College).

• The right to object to any direct marketing (for example, email marketing or phone calls)
by us, and to require us to stop such marketing.

• The right to object to the processing of your information if we are relying on a “legitimate
interest” for the processing or where the processing is necessary for the performance of a
task carried out in the public interest. The lawful basis for any particular processing activity
we carry out is set out in our detailed table of processing activities.

• The right to object to any automated decision-making about you which produces legal
effects or otherwise significantly affects you.

• Where the lawful basis for processing your data is consent, you have the right to withdraw
your consent at any time. This will not affect the validity of any lawful processing of your
data up until the time when you withdrew your consent. You may withdraw your consent
by contacting the Data Protection Officer.


If you wish to exercise any of your rights in relation to your data as processed by the College please 
contact our Data Protection Officer. Some of your rights are not automatic, and we reserve the 
right to discuss with you why we might not comply with a request from you to exercise them. 


Further guidance on your rights is available from the Information Commissioner’s Office
(https://ico.org.uk/). You have the right to complain to the UK’s supervisory office for data
protection, the Information Commissioner’s Office at https://ico.org.uk/concerns/ if you believe
that your data has been processed unlawfully.





Future changes to this privacy notice 


We may need to update this notice from time to time, for example if the law or regulatory 
requirements change, if technology changes or to make the University’s operations and procedures 
more efficient. If the change is material, we will give you not less than two months’ notice of the 
change so that you can exercise your rights, if appropriate, before the change comes into effect. We 
will notify you of the change by email (or post if we have no email address for you). 


Version control: V.1.0 (May 2018) 


